1. Introduction
HTTP: data between the browser and the web site is transmitted in cleartext, so anyone who can capture the traffic (e.g. with a packet sniffer) can read it and steal account credentials. It is insecure and uses port 80 by default.
HTTPS: HTTP carried over TLS (the successor of SSL). The connection is encrypted and integrity-protected, and the server certificate lets the client verify that it is talking to the genuine site rather than an interceptor. It uses port 443 by default.
2. Objective
Request and renew an SSL/TLS certificate from Let's Encrypt, create a Kubernetes TLS Secret from the issued certificate, and expose the service through an Ingress so that it is reachable over HTTPS.
3. Obtaining an HTTPS certificate for free
Certbot is the standard tool for obtaining and renewing Let's Encrypt certificates automatically. Certbot ships official DNS plugins for several providers, but Alibaba Cloud DNS is not one of them; community plugins exist that let certbot manage and renew certificates for zones hosted on Alibaba Cloud DNS and Huawei Cloud DNS. The walkthrough below uses certbot's manual DNS-01 mode instead, which works with any provider but requires the TXT records to be added by hand.
Installing certbot
sudo apt install certbot python3-certbot-nginx
root@manage-jumpserver-1:/etc/nginx/sites-available# certbot -h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
Generating a wildcard certificate
Use certbot to issue the wildcard certificate. Wildcards are only issued via the DNS-01 challenge, so you must be able to add TXT records in the zone (e.g. in the Alibaba Cloud DNS or Huawei Cloud DNS console). Because --manual is used without an auth hook, renewal is interactive as well: rerun the same command and publish the new TXT records.
certbot certonly --manual --preferred-challenges dns -d devapps.hw-k8s.efssc.assistfc.com -d '*.devapps.hw-k8s.efssc.assistfc.com'    # wildcard issuance command; quote the * so the shell cannot expand it
  root@manage-jumpserver-1:~# certbot certonly --manual --preferred-challenges dns -d devapps.hw-k8s.efssc.assistfc.com -d *.devapps.hw-k8s.efssc.assistfc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for devapps.hw-k8s.efssc.assistfc.com
dns-01 challenge for devapps.hw-k8s.efssc.assistfc.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.devapps.hw-k8s.efssc.assistfc.com with the following value:
pdHXByymHRV-r1TVQAecDAWT8Yi_K7yZMS3YYpBTD54      //add this value as a TXT record at the DNS provider (name _acme-challenge.devapps.hw-k8s.efssc.assistfc.com)
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue    //once the first TXT record is in place, press Enter; certbot then prints the second value. Add it as another TXT record with the same name and keep the first one: both must exist at the same time
  Please deploy a DNS TXT record under the name
_acme-challenge.devapps.hw-k8s.efssc.assistfc.com with the following value:
L2evSro_dFl5lilIsOg3GonY7RZwmWtQCoshIxfAHZw
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue      //before pressing Enter, check that both records resolve. Verification command:
nslookup -q=TXT _acme-challenge.devapps.hw-k8s.efssc.assistfc.com
root@manage-jumpserver-1:~# nslookup -q=TXT _acme-challenge.devapps.hw-k8s.efssc.assistfc.com
Server:         127.0.0.53
Address:        127.0.0.53#53
Non-authoritative answer:
_acme-challenge.devapps.hw-k8s.efssc.assistfc.com       text = "j7y7oU014o2Ttr53LvUlzbsiryntf_em4yB9KB9L6fI"
_acme-challenge.devapps.hw-k8s.efssc.assistfc.com       text = "4rtXLrQhPqAtV5vO8sHGfJ38PxTx00rkgkqr5nIZUg0"
Authoritative answers can be found from:
Both values are visible, so press Enter at the certbot prompt above and the certificate files are generated.
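Before pressing Enter it is worth checking the records at the zone's authoritative name servers rather than the local stub resolver (127.0.0.53 above), whose cached answer can be stale in either direction, and checking that both values are present, since the base domain and the wildcard each need their own TXT value under the same name. The script below is an added example and not part of the original post: acme_txt_values and acme_txt_check parse captured dig/nslookup output offline, and acme_txt_live queries the authoritative servers directly (the zone name assistfc.com and the availability of dig are assumptions; the sample answer is constructed to mirror the nslookup output above).

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every TXT value certbot
# printed is visible in DNS before pressing Enter. The base domain and the wildcard
# each need their own value under _acme-challenge.<domain>, so both must be present.
set -eu

# Print the quoted TXT strings from dig/nslookup output on stdin, one per line.
# ACME DNS-01 values are 43-character base64url strings (unpadded SHA-256).
acme_txt_values() {
  sed -n 's/.*"\([A-Za-z0-9_-]\{43\}\)".*/\1/p'
}

# Succeed only if every expected value is in the captured answer.
# $1 = captured DNS answer text, $2.. = values certbot asked you to publish.
acme_txt_check() {
  answer=$1; shift
  [ $# -gt 0 ] || return 1
  for want in "$@"; do
    printf '%s\n' "$answer" | acme_txt_values | grep -qx -- "$want" || {
      echo "TXT value not visible yet: $want" >&2
      return 1
    }
  done
  return 0
}

# Query each authoritative server of the zone directly, bypassing the local
# resolver, which may still cache the answer from before the change.
# $1 = zone (assumed to be assistfc.com here), $2 = challenge name. Needs dig.
acme_txt_live() {
  zone=$1; name=$2
  for ns in $(dig +short NS "$zone"); do
    dig +short TXT "$name" "@$ns"
  done
}

# Constructed sample mirroring the nslookup answer in the post; not a real lookup.
SAMPLE='_acme-challenge.devapps.hw-k8s.efssc.assistfc.com       text = "j7y7oU014o2Ttr53LvUlzbsiryntf_em4yB9KB9L6fI"
_acme-challenge.devapps.hw-k8s.efssc.assistfc.com       text = "4rtXLrQhPqAtV5vO8sHGfJ38PxTx00rkgkqr5nIZUg0"'

# Offline demo against the sample. For a live check replace "$SAMPLE" with
# "$(acme_txt_live assistfc.com _acme-challenge.devapps.hw-k8s.efssc.assistfc.com)".
acme_txt_check "$SAMPLE" \
  j7y7oU014o2Ttr53LvUlzbsiryntf_em4yB9KB9L6fI \
  4rtXLrQhPqAtV5vO8sHGfJ38PxTx00rkgkqr5nIZUg0 && echo "both TXT values visible"
```

Run the live variant in a loop until it succeeds, then press Enter; the check fails, and prints which value is missing, if the second record was added by overwriting the first instead of alongside it.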
Output files (the lineage directory name may differ from the one shown; by default it is the first -d domain)
/etc/letsencrypt/live   // certificate directory
root@manage-jumpserver-1:/etc/letsencrypt/live/devapps.hw-k8s.efssc.assistfc.com# ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
fullchain.pem (the leaf certificate followed by the intermediate) and privkey.pem are what nginx uses as its crt and key files. Use fullchain.pem rather than cert.pem, otherwise clients that do not fetch the intermediate themselves cannot build the chain. privkey.pem is readable only by root; keep it that way.
nginx configuration:
    ssl_certificate /etc/letsencrypt/live/assistfc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/assistfc.com/privkey.pem;
(the lineage directory in this config is assistfc.com; point both paths at whatever directory appears under /etc/letsencrypt/live on your host). The certificate is now issued and nginx is configured; reload nginx and verify that the site answers over HTTPS.
4. Creating the Ingress TLS Secret
With the certificate issued, create a TLS Secret for the Ingress:
kubectl create secret tls assistfc.com20240530 -n common-harbors --cert=/tmp/assistfc.com/fullchain.pem --key=/tmp/assistfc.com/privkey.pem
The Secret is named assistfc.com20240530; it is of type kubernetes.io/tls with the keys tls.crt and tls.key, and it must live in the same namespace as the Ingress that references it. Two caveats: if privkey.pem was copied to /tmp for this step, remove the copy afterwards, and remember that Secret data is only base64-encoded, so anyone allowed to get or list Secrets in common-harbors can read the private key.
Next, write the ingress.yaml and apply it.
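kubectl create secret tls is a one-off: when certbot renews the certificate, the Secret still holds the old one until it is recreated. The script below is an added example, not from the original post. It builds the same kubernetes.io/tls Secret as the command above straight from the certbot live directory (so no copy of privkey.pem is left in /tmp) and applies it with kubectl apply, which updates an existing Secret instead of failing on a duplicate name; registered as certbot's --deploy-hook it refreshes the Secret after every renewal using the RENEWED_LINEAGE variable certbot exports to hooks. The Secret name, namespace and lineage path are the ones used in the post; kubectl access to the cluster is assumed only in apply_tls_secret. Note that with --manual and no --manual-auth-hook certbot cannot renew unattended, so the hook only pays off once a DNS plugin (such as the community Alibaba Cloud or Huawei Cloud ones mentioned above) handles the challenge.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the Ingress TLS Secret from a
# certbot live directory and apply it idempotently, so a renewed certificate reaches
# the Ingress without a delete-and-recreate. Secret name, namespace and lineage path
# are those used in the post; kubectl/cluster access is assumed only in apply_tls_secret.
set -eu

# Emit a kubernetes.io/tls Secret manifest (what `kubectl create secret tls` builds).
# $1 = secret name, $2 = namespace, $3 = directory with fullchain.pem and privkey.pem.
# base64 output is re-joined with tr because -w0 is GNU-only.
tls_secret_manifest() {
  name=$1; ns=$2; dir=$3
  [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ] || {
    echo "fullchain.pem or privkey.pem missing or unreadable in $dir" >&2
    return 1
  }
  crt=$(base64 < "$dir/fullchain.pem" | tr -d '\n')
  key=$(base64 < "$dir/privkey.pem" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$name" "$ns" "$crt" "$key"
}

# Create or update the Secret in place. The key is read from the live directory
# as root, so no copy of privkey.pem is left lying in /tmp.
apply_tls_secret() {
  tls_secret_manifest "$@" | kubectl apply -f -
}

# Entry point for certbot's --deploy-hook: certbot exports RENEWED_LINEAGE with the
# path of the renewed live directory. Without it, fall back to the lineage from the post.
main() {
  lineage=${RENEWED_LINEAGE:-/etc/letsencrypt/live/devapps.hw-k8s.efssc.assistfc.com}
  apply_tls_secret assistfc.com20240530 common-harbors "$lineage"
}

# Only touch the cluster when explicitly asked, e.g.
#   certbot renew --deploy-hook "/usr/local/bin/refresh-ingress-tls.sh --apply"
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it once by hand after the first issuance (the manifest can be previewed with kubectl diff -f - in place of kubectl apply), then install it as the deploy hook. Because apply keeps the Secret name stable, the Ingress needs no edit and ingress-nginx picks up the new key pair from the updated Secret; a date-suffixed name like assistfc.com20240530 only makes sense if you intend to edit the Ingress on every renewal.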
5. Creating the Ingress to enable HTTPS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-harbor-https
  namespace: common-harbors  # same namespace as the TLS Secret
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"        # force HTTPS (ingress-nginx annotation)
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"  # force the redirect even if TLS is not terminated on this Ingress
spec:
  tls:
  - hosts:
    - harbor.devapps.hw-k8s.efssc.assistfc.com  # replace with your domain; it must be covered by the certificate (here by the wildcard)
    secretName: assistfc.com20240530  # same name as the Secret created in the previous step
  rules:
  - host: harbor.devapps.hw-k8s.efssc.assistfc.com  # replace with your domain
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: harbor-service  # replace with your Service name
            port:
              number: 80  # replace with your Service port
Apply the manifest with kubectl and HTTPS access is in place; confirm from a client that the host presents the Let's Encrypt certificate and that plain HTTP requests are redirected.